Stories

Exclusive: Users in dark about security products' effectiveness

Illustration of binary code with the shrugging ascii art, ¯\_(ツ )_/¯
Illustration: Aïda Amer/Axios

53% of IT security managers don't know whether the cybersecurity products they use actually work as promised, according to an upcoming survey from the Ponemon Institute and security firm AttackIQ.

Why it matters: It's a little unsettling to find out a captain has no idea if the ship is watertight.

  • Plus, if 53% seems bad, it's probably a whole lot worse. "People are more likely to say they are confident about themselves, so when you see a study showing low confidence, it’s possibly a lot worse," said Larry Ponemon, of the eponymous Institute.
  • The survey included 577 responses from IT managers.

The cybersecurity industry is good at inspiring a lack of faith in the cybersecurity industry.

  • Buzz words bandied about in slogans frequently generate as much skepticism as they do enthusiasm. The notion of snake oil products has been so pervasive that companies now advertise around it.
  • "You sometimes see companies market their products to the threat of the day but not adapt the tool," says Kiersten Todt, managing director of the Cyber Readiness Institute.

To be sure: Many cybersecurity tools are pretty good at what they do. The problem is that the function of security products is a black box — users can't see the gears turning to verify that a tool works or that they are using it properly.

  • "There’s been no methodical approach to check if a product is working as intended," said Chris Kennedy, chief information security officer at study sponsor AttackIQ, which sells products to simulate attacks.

The bottom line: In a better world, security products would inspire more confidence from the people who use them — especially given the cost of cybersecurity.

"Do you have confidence in your door locks?" Kennedy. says. "Put millions of dollars in investment into them, then, yeah, you should have confidence in the product."